By CisoDeck Team

vCISO Pricing Strategy: How to Price Without Leaving Money on the Table

Hourly vs retainer vs value-based pricing for cybersecurity consulting. Real numbers, packaging strategies, and when to raise your rates.

How much should a vCISO charge?

The short answer: most solo vCISOs charge between $200 and $500 per hour, or $5,000 to $15,000 per month on retainer. But the real question is not what to charge — it is how to structure your pricing so it reflects the value you deliver rather than the hours you spend.

What are the three vCISO pricing models?

1. Hourly billing

Hourly billing is the simplest model to start with. You track hours, invoice monthly, and the client pays for time consumed. Typical rates range from $200/hour for early-career consultants to $500+/hour for specialists with deep expertise in regulated industries.

The downside: hourly billing punishes efficiency. If you solve a problem in 30 minutes that used to take 4 hours, you earn less despite delivering the same (or better) outcome. It also creates unpredictable revenue — quiet months mean low income.

2. Monthly retainer

A fixed monthly fee for a defined scope of services. The most common range is $5,000–$15,000/month for small and mid-market clients. The retainer typically includes a set number of advisory hours, one assessment cycle per quarter, ongoing risk register management, and quarterly board reporting.

Retainers create predictable recurring revenue and align incentives with outcomes rather than hours. Most successful solo vCISOs transition to retainers within their first year.

3. Value-based packages

Package your services by deliverable rather than time. For example:

  • Security Foundation Package ($8,000): Baseline assessment, risk register, 12-month roadmap, and executive briefing.
  • Quarterly Advisory Package ($4,500/quarter): Risk register update, reassessment, board report, and ad-hoc advisory.
  • Compliance Readiness Program ($15,000–$25,000): Full framework assessment, gap remediation guidance, policy development, and audit preparation for SOC 2 or ISO 27001.

Value-based pricing has the highest margins because your fee is anchored to the outcome, not the time. As your tooling improves and you get faster, margins increase without raising prices.

How do you decide which model to use?

Use hourly for project-based or ad-hoc work (incident response, one-time assessments). Use retainers for ongoing advisory relationships. Use value-based packages when the deliverables are well-defined and the client values outcomes over seat time.

Many consultants use a hybrid: a monthly retainer for ongoing work plus value-priced add-ons for specific projects (compliance readiness, incident response retainer, vendor risk program buildout).

When should you raise your rates?

Raise your rates when:

  • You are at or above 80% utilization — if you are turning away work, you are underpriced.
  • You have not raised rates in 12+ months — inflation and market rates move; your pricing should too.
  • You added a credential or specialization (CISSP, CISM, specific industry expertise).
  • You invested in tooling that improves deliverable quality — a professional platform makes your output look like a $500/hour practice.

Apply new rates to new clients immediately. For existing clients, give 60–90 days' notice and frame it as an investment in improved capabilities, not just a cost increase.

How does tooling affect your pricing?

The biggest leverage point in vCISO pricing is delivery efficiency. If a board report takes 8 hours to build manually, that is 8 hours of unbillable admin (or 8 hours billed at a lower effective rate). With a structured delivery platform, the same report takes 30 minutes, and it looks better.

This is why platform investment matters: it does not just save time, it increases your effective hourly rate on every engagement. A consultant using CisoDeck at $129/month who saves 10 hours per client per month is creating thousands of dollars in additional billable capacity.

The pricing mistake most consultants make

Underpricing. New vCISOs consistently price 30–50% below market because they anchor to their previous salary rather than the value they deliver. A full-time CISO costs $250K–$400K. You are providing equivalent expertise at a fraction of the cost. Price accordingly.
